Interoperability Report for Forwarding and Control Element Separation (ForCES)

Abstract

This document captures the results of the second Forwarding and Control Element Separation (ForCES) interoperability test that took place on February 24-25, 2011, in the Internet Technology Lab (ITL) at Zhejiang Gongshang University, China. The results of the first ForCES interoperability test were reported in RFC 6053, and this document updates RFC 6053 by providing further interoperability results.

Status of This Memo

This document is not an Internet Standards Track specification; it is published for informational purposes.

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741.

Copyright Notice

Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

This document captures the results of the second interoperability test of the Forwarding and Control Element Separation (ForCES) that took place on February 24-25, 2011, in the Internet Technology Lab (ITL) at Zhejiang Gongshang University, China. The test involved protocol elements described in several documents, namely:

The test also involved protocol elements described in the then- current versions of two Internet-Drafts. Although these documents have subsequently been revised and advanced, it is important to understand which versions of the work were used during this test. The then-current Internet-Drafts are:

Note: The ForCES Logical Function Block (LFB) Library document was published as [RFC6956].

Three independent ForCES implementations participated in the test.

Scenarios of ForCES LFB Operation, TML with IPsec, Control Element High Availability (CEHA), and Packet Forwarding were constructed. Series of testing items for every scenario were carried out and interoperability results were achieved. The popular packet analyzers Ethereal/Wireshark [Ethereal] and Tcpdump [Tcpdump] were used to verify the wire results.

This document is an update to [RFC6053], which captured the results of the first ForCES interoperability test. The first test on ForCES was held in July 2008 at the University of Patras, Greece. That test focused on validating the basic semantics of the ForCES protocol and ForCES Forwarding Element (FE) model.

The ForCES protocol works in a master-slave mode in which FEs are slaves and Control Elements (CEs) are masters. The protocol includes commands for transport of Logical Function Block (LFB) configuration

The ForCES FE model [RFC5812] presents a formal way to define FE LFBs using XML. LFB configuration components, capabilities, and associated events are defined when the LFB is formally created. The LFBs within the FE are accordingly controlled in a standardized way by the ForCES protocol.

The ForCES Transport Mapping Layer (TML) transports the ForCES protocol layer messages. The TML is where the issues of how to achieve transport-level reliability, congestion control, multicast, ordering, etc., are handled. It is expected that more than one TML will be standardized. RFC 5811 specifies a TML that is based on the Stream Control Transmission Protocol (SCTP) and is a mandated TML for ForCES. See RFC 5811 for more details.

The second ForCES interoperability test meeting was held by the IETF ForCES Working Group on February 24-25, 2011, and was chaired by Jamal Hadi Salim. Three independent ForCES implementations participated in the test:

o Zhejiang Gongshang University/Hangzhou BAUD Corporation of Information and Networks Technology (Hangzhou BAUD Networks), China. This implementation is referred to as "ZJSU" or "Z" in this document for the sake of brevity.

o NTT Corporation, Japan. This implementation is referred to as "NTT" or "N" in this document for the sake of brevity.

o The University of Patras, Greece. This implementation is referred to as "UoP" or "P" in this document for the sake of brevity.

Wang, et al. Informational [Page 4]

RFC 6984 ForCES Interop Report August 2013

Two other organizations, Mojatatu Networks and Hangzhou BAUD Networks Corporation, which independently extended two different well-known public domain protocol analyzers, Ethereal/Wireshark [Ethereal] and Tcpdump [Tcpdump], also participated in the interoperability test. During the test, the two protocol analyzers were used to verify the validity (and in some cases, the semantics) of ForCES protocol messages.

Some issues related to interoperability among implementations were discovered. Most of the issues were solved on site during the test. The most contentious issue found was on the format of encapsulation for the protocol TLVs (refer to Section 5.1).

Some errata related to the ForCES document were found by the interoperability test. The errata found in related RFCs have also been reported.

At times, interoperability testing was exercised between two instead of all three representative implementations because the third one lacked a specific feature; however, in ensuing discussions, all implementers mentioned they would be implementing any missing features in the future.

NTT and ZJSU were physically present for the testing at the Internet Technology Lab (ITL) at Zhejiang Gongshang University in China. The implementation team from the University of Patras joined remotely from Greece. The chair, Jamal Hadi Salim, joined remotely from Canada by using TeamViewer as the monitoring tool [TeamViewer]. The approach was as shown in Figure 1. In the figure, FE/CE refers to the FE or CE that the implementer may act as alternatively.

The CEs and FEs from ZJSU's and NTT's implementations were physically located within the ITL Lab at Zhejiang Gongshang University and connected together using Ethernet switches. The configuration can be seen in Figure 2. In the figure, SmartBits [SmartBits] is a third- party routing protocol testing machine that acts as a router running Open Shortest Path First (OSPF) and RIP, and exchanges routing protocol messages with ForCES routers in the network. Connection to the Internet was via an Asymmetric Digital Subscriber Line (ADSL) channel.

The CE and FE from the UoP implementation were located within the University of Patras, Greece, and were connected together using LAN, as shown in Figure 3. Connection to the Internet was via a VPN channel.

In order to make interoperability more credible, the three implementers were required to carry out the test acting as a CE or FE alternatively. As a result, every LFB operation was combined with six scenarios, as shown by Figure 4.

The test scenario was designed with the following purposes.

Firstly, the scenario was designed to verify all kinds of protocol messages with their complex data formats, which were defined in [RFC5810]. Specifically, we tried to verify the data format of a PATH-DATA-TLV with nested PATH-DATA-TLVs, and the operation (SET, GET, and DEL) of an array or an array with a nested array.

Secondly, the scenario was designed to verify the definition of ForCES LFB Library [LFB-LIB], which defined a base set of ForCES LFB classes for typical router functions. Successful tests under this scenario would help the validity of the LFB definitions.

This scenario was designed to implement a TML with IPsec, which was the requirement defined by RFC 5811. TML with IPsec was not implemented and tested in the first ForCES interoperability test, as reported in RFC 6053. For this reason, in this interoperability test, we specifically designed the test scenario to verify the TML over IPsec channel.

In this scenario, tests on LFB operations for Scenario 1 were repeated with the difference that TML was secured via IPsec. This setup scenario allowed us to verify whether all interactions between the CE and FE could be made correctly under an IPsec TML environment.

The connection diagram for this scenario is shown in Figure 5. Because an unfortunate problem with the test system in the UoP prevented the deployment of IPsec over TML, this test only took place between the test systems in ZJSU and NTT.

In this scenario, ForCES TML was run over the IPsec channel. Implementers joined in this interoperability test using the same third-party software 'Racoon' [Racoon] to establish the IPsec channel.

The Racoon in NetBSD is an Internet Key Exchange (IKE) daemon that performs the key exchange with the peers. Both IKEv1 and IKEv2 are supported by Racoon in Linux 2.6, and IKEv2 was adopted in the interop test. The Security Association Database (SAD) and Security Policy Database (SPD) were necessary for the test, setups of which were in the Racoon configuration file. The Encapsulating Security Payload (ESP) was specified in the SAD and SPD in the Racoon configuration file.

ZJSU and NTT conducted a successful test with the scenario, and the IPsec requirement items in [RFC5812] were realized.

In this scenario, one FE was connected and associated to a master CE and a backup CE. In the pre-association phase, the FE would be configured to have ZJSU's or NTT's CE as the master CE and the UoP's CE as the standby CE. The CEFailoverPolicy component of the FE Protocol Object LFB that specified whether the FE was in High Availability mode (value 2 or 3) would be set either in the pre- association phase by the FE interface or in the post-association phase by the master CE.

If the CEFailoverPolicy value was set to 2 or 3, the FE (in the post- association phase) would attempt to connect and associate with the standby CE.

When the master CE was deemed disconnected, either by a TearDown, Loss of Heartbeats, or physically disconnected, the FE would assume that the standby CE was now the master CE. The FE would then send an Event Notification, Primary CE Down, to all associated CEs (only the standby CE in this case) with the value of the new master Control Element ID (CEID). The standby CE would then respond by sending a configuration message to the CEID component of the FE Protocol Object with its own ID to confirm that the CE considered itself the master as well.

The steps of the CEHA test scenario were as follows:

1. In the pre-association phase, the FE is set up with the master CE and the backup CE.

2. The FE connects and associates with the master CE.

3. When CEFailoverPolicy is set to 2 or 3, the FE connects and associates with the backup CE.

Wang, et al. Informational [Page 10]

RFC 6984 ForCES Interop Report August 2013

4. Once the master CE is considered disconnected, then the FE chooses the first associated backup CE.

5. It sends an Event Notification that specifies the master CE is down and identifies the new master CE.

6. The new master CE sends a SET Configuration message to the FE; the FE then sets the CEID value to the new master CE completing the switch.

This test scenario was conducted to verify LFBs like RedirectIn, RedirectOut, IPv4NextHop, and IPv4UcastLPM, which were defined by the ForCES LFB library document [LFB-LIB], and more importantly, to verify the combination of the LFBs to implement IP packet forwarding.

In case (a), NTT's CE was connected to ZJSU's FE to form a ForCES router. A SmartBits [SmartBits] test machine equipped with routing protocol software was used to simulate an OSPF router and was connected with the ForCES router to try to exchange OSPF Hello packets and Link State Advertisement (LSA) packets among them. Terminals were simulated by SmartBits to send and receive packets. As a result, the CE in the ForCES router needed to be configured to run and support the OSPF routing protocol.

In case (b), ZJSU'S CE was connected to NTT'S FE to form a ForCES router. Two routers running OSPF were simulated and connected to the ForCES router to test if the ForCES router could support the OSPF protocol and support packet forwarding.

In case (c), two ForCES routers were constructed; one was with NTT's CE and ZJSU's FE, and the other was with NTT's FE and ZJSU's CE. OSPF and packet forwarding were tested in the environment.

The testing process for this scenario is shown below:

1. Boot terminals and routers, and set the IP addresses of their interfaces.

2. Boot the CE and FE.

3. Establish an association between the CE and FE, and set the IP addresses of the FE interfaces.

4. Start OSPF among the CE and routers, and set the Forwarding Information Base (FIB) on the FE.

The test results are reported in Figure 8. As mentioned earlier, for convenience, the following abbreviations are used in the table: "Z" for the implementation from ZJSU, "N" for the implementation from NTT, and "P" for the implementation from the UoP.

In this scenario, the ForCES TML was run over IPsec. Implementers joined this interoperability test and used the same third-party tool software 'Racoon' [Racoon] to establish the IPsec channel. Typical LFB operation tests as in Scenario 1 were repeated with the IPsec-enabled TML.

As mentioned, this scenario only took place between implementers from ZJSU and NTT.

In this scenario, one FE connected and associated with a master CE and a backup CE. When the master CE was deemed disconnected, the FE attempted to find another associated CE to become the master CE.

The CEHA scenario, as described in Scenario 3, was completed successfully for both setups.

Due to a bug in one of the FEs, an interesting issue was caught: it was observed that the buggy FE took up to a second to failover. It was eventually found that the issue was due to the FE's prioritization of the different CEs. All messages from the backup CE were being ignored unless the master CE was disconnected.

Wang, et al. Informational [Page 20]

RFC 6984 ForCES Interop Report August 2013

While the bug was fixed and the CEHA scenario was completed successfully, the authors felt it was important to capture the implementation issue in this document. The recommended approach is the following:

o The FE should receive and handle messages first from the master CE on all priority channels to maintain proper functionality and then receive and handle messages from the backup CEs.

o Only when the FE is attempting to associate with the backup CEs should the FE receive and handle messages per priority channel from all CEs. When all backup CEs are associated with or deemed unreachable, then the FE should return to receiving and handling messages first from the master CE.

As described in the ForCES LFB library [LFB-LIB], packet forwarding is implemented by a set of LFB classes that compose a processing path for packets. In this test scenario, as shown in Figure 7, a ForCES router running the OSPF protocol was constructed. In addition, a set of LFBs including RedirectIn, RedirectOut, IPv4UcastLPM, and IPv4NextHop were used. RedirectIn and RedirectOut LFBs redirected OSPF Hello and LSA packets from and to the CE. A SmartBits [SmartBits] test machine was used to simulate an OSPF router and exchange the OSPF Hello and LSA packets with the CE in the ForCES router.

In Figure 7, cases (a) and (b) both need a RedirectIn LFB to send OSPF packets generated by the CE to the FE by use of ForCES packet redirect messages. The OSPF packets were further sent to an outside OSPF router by the FE via forwarding LFBs, including IPv4NextHop and IPv4UcastLPM. A RedirectOut LFB in the FE was used to send OSPF packets received from outside the OSPF router to the CE by ForCES packet redirect messages.

By running OSPF, the CE in the ForCES router could generate new routes and load them to the routing table in the FE. The FE was then able to forward packets according to the routing table.

During the test, OSPF packets received from the CE were found by Ethereal/Wireshark to have checksum errors in the FE. Because the test time was quite limited, the implementer of the CE did not make an effort to find and solve the checksum error; instead, the FE had tried to correct the checksum in order to not let the SmartBits drop the packets. Note that such a solution does not affect the test results.

Comment on tests #16 and #17:

The two test items failed. Note that tests #7 and #8 were identical to tests #16 and #17, only with CE and FE implementers being exchanged. Moreover, tests #12 and #13 showed that the redirect channel worked well. Therefore, it can be reasonably inferred that the problem caused by the failure was from the implementations, rather than from the ForCES protocol itself or the misunderstanding of implementations on the protocol specification. Although the failure made the OSPF interoperability test incomplete, it did not show an interoperability problem. More test work is needed to verify the OSPF interoperability.

On the first day of the test, it was found that the LFB interoperations pertaining to tables all failed. It was eventually found that the failure occurred because different data encapsulation methods for ForCES protocol messages were used by different implementations. The issue is described in detail below.

Wang, et al. Informational [Page 23]

RFC 6984 ForCES Interop Report August 2013

Assuming that an LFB has two components, one is a struct with ID=1 and the other is an array with ID=2; in addition, both have two components of u32 inside, as shown below:

When a CE sends a config/query ForCES protocol message to an FE from a different implementer, the CE probably receives a response from the FE with a different PATH-DATA-TLV encapsulation format. For example, if a CE sends a query message with a path of 1 to a third-party FE to manipulate struct1 as defined above, it is probable that the FE will generate a response with two different PATH-DATA-TLV encapsulation formats: one is the value with FULLDATA-TLV/SPARSEDATA-TLV and the other is the value with many parallel PATH-DATA-TLVs and nested PATH-DATA-TLVs, as shown below:

The interoperability testers witnessed that a ForCES element (CE or FE) sender is free to choose whatever data structure that IETF ForCES documents define and best suits the element, while a ForCES element (CE or FE) should be able to accept and process information (requests and responses) that use any legitimate structure defined by IETF ForCES documents. While in the case where a ForCES element is free

Wang, et al. Informational [Page 24]

RFC 6984 ForCES Interop Report August 2013

to choose any legitimate data structure as a response, it is preferred that the ForCES element responds in the same format that the request was made, as it is most likely the data structure that the request sender looks to receive.

2. On Operation to Array

An array operation may also have several different data encapsulation formats. For instance, if a CE sends a config message to table1 with a path of (2.1), which refers to the component with ID=2 (an array), and the second ID is the row, then row 1 may be encapsulated with three formats as shown below:

The interoperability test experience has shown that formats 1 and 3, which take full advantage of the multiple data elements description in one TLV of FULLDATA-TLV, are more efficient, although format 2 can also achieve the same operating goal.

Wang, et al. Informational [Page 25]

RFC 6984 ForCES Interop Report August 2013

6. Security Considerations

Developers of ForCES FEs and CEs must take the security considerations of the ForCES Framework [RFC3746] and ForCES Protocol Specification [RFC5810] into account. Also, as specified in the security considerations of SCTP-Based TML for the ForCES Protocol [RFC5811], the transport-level security has to be ensured by IPsec. Test results of TML with IPsec supported have been shown inSection 4.2 in this document.

The tests described in this document used only simple password security mode. Testing using more sophisticated security is for future study.

Further testing using key agility is encouraged. The tests reported here used SCTP TML running over an IPsec tunnel, which was established by Racoon. Key negotiation formed part of this process, but we believe that the SCTP TML used does not include key agility or renegotiation.